Nowadays all major Linux distributions use systemd-journald to handle locally generated system events, but you may still need a syslog agent if you want to forward them to a remote location, such as a SIEM.
Sending events from our servers to a SIEM should be a pretty standard practice nowadays. In practice, however, it still seems unclear what to send and how to actually do this properly.
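The two points above (journald keeps events local and a syslog agent is what forwards them; deciding what to send is the hard part) can be made concrete with a small forwarder. The following is an added example written for this page, not code from the original posts or from systemd/rsyslog: it reads records in the shape `journalctl -o json` emits, applies an assumed forwarding policy (everything at notice or higher severity, plus an assumed allowlist of security-relevant identifiers), renders each record as an RFC 5424 syslog message and frames it with RFC 6587 octet counting for TCP. The journal records, host name, PIDs and messages are constructed sample data; the `send_to_siem` target is a placeholder you would point at your collector.

```python
"""Convert journald JSON export records into RFC 5424 syslog messages
for forwarding to a SIEM over TCP/TLS.

Added example; not code from the original posts. Sample records,
the forwarding policy and the collector address are assumptions.
"""
import json
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample: three records as `journalctl -o json` would print them
# (one JSON object per line; journald exports numeric fields as strings).
SAMPLE_JOURNAL = """\
{"__REALTIME_TIMESTAMP":"1700000000123456","_HOSTNAME":"web01","PRIORITY":"6","SYSLOG_FACILITY":"10","SYSLOG_IDENTIFIER":"sshd","_PID":"1234","_SYSTEMD_UNIT":"ssh.service","MESSAGE":"Accepted publickey for alice from 203.0.113.7 port 51514 ssh2"}
{"__REALTIME_TIMESTAMP":"1700000001000000","_HOSTNAME":"web01","PRIORITY":"7","SYSLOG_FACILITY":"3","SYSLOG_IDENTIFIER":"systemd","_PID":"1","_SYSTEMD_UNIT":"init.scope","MESSAGE":"Started Session 42 of user alice."}
{"__REALTIME_TIMESTAMP":"1700000002500000","_HOSTNAME":"web01","PRIORITY":"3","SYSLOG_FACILITY":"10","SYSLOG_IDENTIFIER":"sudo","_PID":"1300","_SYSTEMD_UNIT":"session-42.scope","MESSAGE":"alice : 3 incorrect password attempts ; TTY=pts/0 ; COMMAND=/bin/bash"}
"""

# Assumed forwarding policy: forward notice (5) and more severe, and always
# forward a few identifiers whose INFO-level lines matter to a SIEM
# (successful logins, sudo usage). Adapt to your environment.
MAX_PRIORITY = 5
ALWAYS_FORWARD = {"sshd", "sudo", "su"}


def parse_journal_export(text: str) -> list[dict]:
    """Parse one JSON object per line, as `journalctl -o json` emits."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def should_forward(rec: dict) -> bool:
    """Apply the forwarding policy to a single journal record."""
    prio = int(rec.get("PRIORITY", "6"))          # journald default: info
    ident = rec.get("SYSLOG_IDENTIFIER", "")
    return prio <= MAX_PRIORITY or ident in ALWAYS_FORWARD


def to_rfc5424(rec: dict) -> str:
    """Render a journal record as an RFC 5424 message.

    Layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG,
    with PRI = facility * 8 + severity and '-' for absent fields.
    """
    severity = int(rec.get("PRIORITY", "6"))
    facility = int(rec.get("SYSLOG_FACILITY", "1"))  # default: user-level
    pri = facility * 8 + severity
    # __REALTIME_TIMESTAMP is microseconds since the epoch; use integer
    # arithmetic so the microsecond part is not lost to float rounding.
    usec = int(rec["__REALTIME_TIMESTAMP"])
    ts = datetime.fromtimestamp(usec // 1_000_000, tz=timezone.utc)
    ts = ts.replace(microsecond=usec % 1_000_000)
    ts_str = ts.strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    host = rec.get("_HOSTNAME", "-")
    app = rec.get("SYSLOG_IDENTIFIER", "-")
    pid = rec.get("_PID", "-")
    msg = rec.get("MESSAGE", "")
    return f"<{pri}>1 {ts_str} {host} {app} {pid} - - {msg}"


def frame_octet_counted(msg: str) -> bytes:
    """RFC 6587 octet-counting framing for syslog over TCP.

    Unlike LF-terminated framing this survives messages that contain
    newlines (stack traces, multi-line audit records).
    """
    data = msg.encode("utf-8")
    return f"{len(data)} ".encode("ascii") + data


def build_forward_batch(text: str) -> list[str]:
    """Filter a journal export and render the surviving records."""
    return [to_rfc5424(r) for r in parse_journal_export(text) if should_forward(r)]


def send_to_siem(host: str, port: int, msgs: list[str]) -> None:
    """Ship framed messages over TLS to a collector (network call; not run offline)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            for m in msgs:
                tls.sendall(frame_octet_counted(m))


if __name__ == "__main__":
    for line in build_forward_batch(SAMPLE_JOURNAL):
        print(line)
    # send_to_siem("siem.example.internal", 6514, build_forward_batch(SAMPLE_JOURNAL))
```

Of the three constructed records, the `systemd` debug line is dropped while the `sshd` login (INFO, but on the allowlist) and the `sudo` failure (ERR) are forwarded; in a real deployment the same policy would be expressed in the agent's configuration rather than in a script, but the filter, the priority mapping and the framing are what the agent does for you.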
I already mentioned in my previous article about Traffic Analysis in Qubes OS that the IDS alerts and logs should be passed to a log management system where we can correlate them with other logs and alerts. Such a system can be called a SIEM.
However, a real SIEM only makes sense in an enterprise environment, because it requires 24×7 monitoring and needs special knowledge and experience to analyze the results.